NSA's Malware Heroics Questioned By Security Experts

NSA says it thwarted a nation state's BIOS-bricking malware plot, but info security and privacy experts say the agency is trying to snow the American public.



The National Security Agency (NSA) helped foil a "nation state" that planned to launch a BIOS-bricking malware attack against the United States.

That claim was delivered Sunday night in an Inside the NSA segment on CBS's 60 Minutes that was partially filmed inside the intelligence agency's headquarters.

The agency, of course, is struggling to repair its image -- and stave off additional oversight or curtailing of its intelligence-gathering techniques -- since documents leaked by former agency contractor Edward Snowden revealed how the NSA has created a massive digital dragnet that's been intercepting millions of Americans' communications and related tracking data. Industry analysts have said that the fallout from those revelations could cost technology businesses billions in lost revenue over the next few years.

If a classic counterinsurgency tactic is to make a "hearts and minds" appeal to the public at large (rather than adversaries), that's what the NSA appeared to be doing via 60 Minutes, in part by arguing that its tactics are required to stop foreign nations that are intent on disrupting US systems.

For example, Deborah Plunkett, the NSA's information assurance director -- described in the newscast as the official who directs cyberdefense -- told CBS correspondent John Miller that the agency had foiled a malware attack that would have corrupted the BIOS inside a PC, thus turning the machine into a brick. "One of our analysts actually saw that the nation state had the intention to develop and to deliver, to actually use this capability -- to destroy computers," Plunkett said. "This is the BIOS system which starts most computers. The attack would have been disguised as a request for a software update. If the user agreed, the virus would've infected the computer."

She added: "Think about the impact of that across the entire globe. It could literally take down the US economy."

But the NSA's detailing of a BIOS-attack plot that it supposedly foiled drew a tepid response from many information security professionals. For starters, that's because during the interview, Plunkett wasn't holding the type of BIOS she described -- which would be installed on a motherboard -- but rather a serial ATA controller BIOS, according to Robert David Graham, CEO of Errata Security.

In addition, nothing Plunkett said suggested that the alleged plot was anything more than script kiddies brainstorming potential future attacks. Furthermore, the supposed plot can't be verified from the details that were provided, which included an unnamed NSA official pointing the finger at China. "Same as with #badbios, there's no question it's possible, whether it happened in this case, nobody knows," tweeted computer security researcher Dan Kaminsky.

Other security professionals noted that BIOS-attacking malware is nothing new, nor is it an especially large threat. Perhaps the NSA simply couldn't come up with a scarier-sounding attack?

"We experts just aren't impressed. We know how viruses work, and see nothing special here. We know how stories get distorted. We know how paranoia makes minor things look scary," Errata Security's Graham said in a blog post. "If there were something momentous here, they would say so. But instead, they used techno mumbo jumbo to confuse the typical '60 Minutes' viewer into believing something that was never explicitly stated."

Stepping back from the BIOS plot, information security and privacy experts also criticized the entire 60 Minutes segment for failing to pose the "tough questions" promised by CBS correspondent Miller, who previously worked for both the Office of the Director of National Intelligence and the FBI.

As F-Secure chief research officer Mikko Hypponen summarized the segment via Twitter: "Turns out, NSA is doing an outstanding job and Snowden is the bad guy."

Gen. Keith Alexander

Miller's interviewees included NSA director Gen. Keith Alexander, who first approached CBS about doing the news segment. But Alexander relied on evasion and doublespeak when it came to addressing some of the NSA's more contentious practices, for example when responding to questions about whether the agency hacks into datacenters run by the likes of Google and Yahoo.

"We do target terrorist communications. And terrorists use communications from Google, from Yahoo, and from other service providers. So our objective is to collect those communications no matter where they are," Alexander said. "But we're not going into a facility or targeting Google as an entity or Yahoo as an entity. But we will collect those communications of terrorists that flow on that network."

A presidential commission is reportedly preparing to recommend that some of the NSA's mass data collection practices should be curtailed or stopped. But rather than advancing any nuanced arguments about how the NSA might respond to leading political, legal, and privacy criticisms, Alexander instead argued that the status quo should prevail. "My concern on that is [especially] what's going on in the Middle East, what you see going on in Syria, what we see going on-- Egypt, Libya, Iraq, it's much more unstable, the probability that a terrorist attack will occur is going up," he said. "And this is precisely the time that we should not step back from the tools that we've given our analysts to detect these types of attacks."

Will Alexander's 60 Minutes appeal for business as usual at the NSA succeed? Let us know your opinion in the comments section below.

Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter.


@ Shane M. O'Neill, you are absolutely right. On the NSA's side, what purpose could they have achieved by arranging such a poorly crafted piece? Considering the caliber of the agency, they could have done much better than this. They should have considered that the market is full of security experts who would expose the whole thing, and that's exactly what happened.

It served nobody any good. It's a shame that such journalistic avenues as 60 Minutes, in which people put their trust, should become partners in someone's public relations or propaganda campaigns. It is unethical to say the least. It amounts to flouting the very tenets upon which the whole edifice of journalism is erected.

Modus Operandi of fbi: drive a person to neuroses, or insanity; set him up for a crime using fbi operatives; prosecute the confused and disoriented human being for offenses that in fact the fbi committed.

'Ask not what your country can do for you'; ask what your country can do TO you. Overthrown government of usa now controlled by very dangerous and murderous thugs (*beasts) of fbi/CIA/homeland security.

The *worldwide network of friends of the accused and terrorized who struggle in intellectual and spiritual opposition against the **human monsters of our generation thanks you, each & every one in our company, for your efforts to expose the methods and identities of the torturers and assassins of our culture; surely stopping such evil is the greatest goal or ideal of our time, and our work is therefore among the most noble of human endeavors because we labor and suffer to rid our species of the demonic-like curse and degenerative affliction that punctuate the demise or downfall of our violently corrupted civilization. Respectfully, geral *http://sosbeevfbi.com/worldwidenetwork.html

Thanks for your comment. Interesting point. But when you ask the head of the NSA if his agency is conducting a massive surveillance operation that hacks into Internet backbones or server farms to suck up millions of records from the likes of Microsoft, Google, and Yahoo, and he replies by saying "we do target terrorist communications," is that a meaningful response?

I see it a bit like asking your kid if they went to the corner grocery store and bought a Milky Way, or even 10 or 100, only to have them respond: "I do go shopping." It's a non-response. To me, it doesn't advance the discussion in any meaningful way. It's just hot air, chewing up face time on TV.

The example of Gen Alexander's 'evasion and doublespeak' didn't hold water for me. His response, whether I agree with it or not, did in fact answer the question in a cohesive manner. I had no sense of evasion and/or doublespeak in his response.

I watched the 60 Minutes piece. And it didn't seem right. Why, for example, would the ultrasecretive NSA let CBS into their building? Normally they would have no incentive to do this, but now that the public wants to see some curtailments, they are on the PR offensive.

60 Minutes has really gone downhill. I guess you heard their report on the Libya embassy massacre was flawed. They used sources without vetting them, and the reporter ran with things known not to be true. They were considering firing the reporter; I never heard if they did.

If NSA requested interview, you know darn well it was for propaganda purposes.

The whole time I was watching the "60 Minutes" segment I kept waiting for a counterpoint to the NSA's FUD spreading and its denial of privacy violations. Lord knows there are plenty of security experts who could have provided some balance. But it never happened. The reporter was too soft and the final result was an NSA infomercial. Seems like in return for unprecedented access to NSA facilities "60 Minutes" agreed to do a puff piece.
